Commit Graph

826 Commits

Author SHA1 Message Date
Slavi Pantaleev 7891268873 Do not hardcode https:// in all remaining places, refer to matrix_static_files_scheme
2024-05-25 16:14:26 +03:00
Slavi Pantaleev 4d91e8b579 Rename some options
Fixup for d9598f0bbd

Related to
2024-04-20 08:17:14 +03:00
Slavi Pantaleev d9598f0bbd Add support for easily passing additional Docker daemon options
Provoked by:
2024-04-20 08:14:17 +03:00
Slavi Pantaleev 7d9eb0893e Switch Hookshot from to cache.redisUri
Related to:

2024-04-17 15:36:49 +03:00
Aine 858b300a5a exim-relay: fix dkim permissions, fix sender address 2024-04-16 10:20:25 +03:00
Slavi Pantaleev 80ce28405c Restore missing wiring between matrix_dendrite_container_extra_arguments_auto and matrix_homeserver_container_extra_arguments_auto
I believe this wiring had gotten lost at some point before.

2024-04-08 08:03:09 +03:00
Slavi Pantaleev d0fd25dcda Add some () for better readability 2024-03-26 12:37:02 +02:00
Slavi Pantaleev 9a8c9850aa Pass and remap `matrix_architecture` to KeyDB role
Only `amd64` and `arm64` actually work.

The KeyDB role includes a validation task and will complain about
unsupported architectures (like `arm32`).

`arm32` users can stick to Redis for now (`keydb_enabled: false` + `redis_enabled: true`) until:
- the KeyDB role starts supporting self-building.. although building such large
  projects on weak CPUs is probably impractical
- a prebuilt arm32 image is made available by other means
2024-03-26 12:15:46 +02:00
Aine 0b4309c8ef Add keydb (#3244)
* add keydb as redis replacement

* sort requirements
2024-03-26 11:25:18 +02:00
Catalan Lover 3b7468787f Improve Pantalaimon Support in Draupnir and add Mjolnir support 2024-03-24 21:55:21 +01:00
Slavi Pantaleev 3758b0cfeb Squashed commit of the following:
commit cf8637efaca0a0be3609fd6add0dff893a0a9194
Author: Slavi Pantaleev <>
Date:   Sun Mar 24 19:14:57 2024 +0200

    Make devture_systemd_docker_base_ipv6_enabled automatically reconfigure geerlingguy/ansible-role-docker

    Related to

commit dc7af3bc7d25f321bf409477d823e43ea8a05803
Author: Slavi Pantaleev <>
Date:   Sun Mar 24 19:10:31 2024 +0200

    Replace matrix_ipv6_enabled with devture_systemd_docker_base_ipv6_enabled

    Related to

commit 07e900d6a2
Author: Slavi Pantaleev <>
Date:   Sun Mar 24 19:01:51 2024 +0200

    Improve matrix_ipv6_enabled comments

commit 3f03ca7f69
Author: Tilo Spannagel <>
Date:   Sat Mar 9 19:27:50 2024 +0000

    Add setting to enable ipv6
2024-03-24 19:15:43 +02:00
Slavi Pantaleev 0049ddf002 Add Pantalaimon support
This is actually authored by Julian Foad here
(, but was in
need of a rebase and various adjustments caused by huge playbook
refactoring that landed in the past months.

This rework is completely untested.

2024-03-24 18:35:34 +02:00
Catalan Lover 9d5902f096 Add support for D4A/Draupnir For All to the playbook. (#3204)
* Draupnir for all Role

* Draupnir for all Documentation

* Pin D4A to Develop until D4A patches are in a release.

* Update D4A Docs to mention pros and cons of D4A mode compared to normal

* Change Documentation to mention a fixed simpler provisioning flow.

Use of /plain allows us to bypass the bugs encountered during the development of this role with clients attempting to escape our wildcards causing the grief that led to using curl.

This reworded commit does still explain you can automatically inject stuff into the room if you wanted to.

* Emphasise the State of D4A mode

* Link to Draupnir-for-all docs and tweak the docs some

* Link to Draupnir-for-all from Draupnir documentation page

* Announce Draupnir-for-all


Co-authored-by: Slavi Pantaleev <>
2024-03-05 16:09:52 +02:00
Slavi Pantaleev 80f6f98ac4 Remove welcome_user_id from Element and Schildichat

Technically, it may still work for Schildichat, because it's stuck in
the past. It will catch up soon anyway.
2024-02-27 19:30:52 +02:00
Slavi Pantaleev 367af472ea Add support for bridging to Facebook Messenger and Instagram via mautrix-meta
Related to:

2024-02-19 10:25:00 +02:00
Slavi Pantaleev e1363c9b9b Add lt-cred-mech authentication mechanism to Coturn
All homeserver implementations have been updated to support this as

It's just Jitsi that possibly doesn't work with anything other than `auth-secret`.

2024-02-18 09:52:00 +02:00
Slavi Pantaleev 578d00a54a Default to root-path-redirection on the base domain if index.html creation is disabled
This is a break in backward-compatibility for people disabling
`index.html` creation via the playbook but are managing their static
website files in another way (AUX role, etc).
2024-01-31 12:13:20 +02:00
Slavi Pantaleev 674658039e Switch from grafana_container_additional_networks to grafana_container_additional_networks_auto 2024-01-30 21:09:33 +02:00
Slavi Pantaleev 2ba4b94b99 Use prometheus_container_additional_networks_auto, instead of prometheus_container_additional_networks 2024-01-30 20:31:47 +02:00
Slavi Pantaleev 1468c08065 Wire matrix_server_fqn_matrix_federation to matrix_SERVICE_*_public_federation_api_traefik_hostname for ease of use 2024-01-26 16:04:55 +02:00
Slavi Pantaleev a9eba7ab32 Fix turn: fallback URIs missing due to Jinja operator priorities 2024-01-26 13:07:09 +02:00
Slavi Pantaleev a1179289a1 Split some homeserver _additional_networks variables into _auto and _custom 2024-01-26 12:55:01 +02:00
Slavi Pantaleev 07a77cb4d3 Auto-enable metrics for services when matrix_metrics_exposure_enabled, even when not hosting Prometheus
Previously, we only enabled metrics when the playbook was installing
Prometheus (as indicated by `prometheus_enabled`).

We are exposing metrics when `matrix_metrics_exposure_enabled` is
toggled to `true` though, but people need to toggle various
`_metrics_enabled` variables to make services actually serve metrics.
No more. If `matrix_metrics_exposure_enabled` is `true`, we'll
automatically enable metrics for all services.
2024-01-23 16:43:23 +02:00
Slavi Pantaleev 01b9a09863 Intentionally start Coturn after the homeserver when devture_systemd_service_manager_service_restart_mode is 'one-by-one' 2024-01-23 15:55:31 +02:00
Pierre 'McFly' Marty f10bc264da chore(deps): update Telegrambot config 2024-01-20 12:58:41 +01:00
Slavi Pantaleev 826f757fbb Merge branch 'master' into cvwright/room-workers-v2 2024-01-20 10:35:56 +02:00
Slavi Pantaleev 0ec62855bb Avoid configuring SSL certificate settings for services when certs dumper is disabled
Some of these variables were ending up configuring services to expect
certificates.. yet there's no way they could get them.
2024-01-18 15:27:34 +02:00
Slavi Pantaleev 28a26dde4e Make it safer to reference variables from alternative homeserver implementations
This allows people to not include the `matrix-conduit` or
`matrix-dendrite` roles in their custom playbook (based on our roles)
and still not have the playbook choke on variables from these roles

For getting rid of the `matrix-synapse` role in a similar way,
more work is likely necessary.
2024-01-17 16:57:06 +02:00
Charles Wright 025a7e5c66 Merge branch 'spantaleev:master' into cvwright/room-workers-v2 2024-01-17 08:02:47 -06:00
Slavi Pantaleev 042c74f90c Remove some useless oidc variables and /_synapse/oidc route handling
After some checking, it seems like there's `/_synapse/client/oidc`,
but no such thing as `/_synapse/oidc`.

I'm not sure why we've been reverse-proxying these paths for so long
(even in as far back as the `matrix-nginx-proxy` days), but it's time we
put a stop to it.

The OIDC docs have been simplified. There's no need to ask people to
expose the useless `/_synapse/oidc` endpoint. OIDC requires
`/_synapse/client/oidc` and `/_synapse/client` is exposed by default
2024-01-17 14:45:19 +02:00
Slavi Pantaleev 0bf8aec8f3 Adjust service priorities to better reflect our new dependencies
Traefik also serves an internal entrypoint that all addon services
(bridges, bots, etc.) depend on, so it makes sense to have it be
available early on. It is injected as a systemd `required` dependency
for all services, so it would have been pulled earlier anyway (despite
the priority). Nevertheless, it's better to make the playbook-defined
priorities for services match, so that services are explicitly asked to
start in a more correct order.

With these changes in place now, all "start service" tasks executed by
Ansible cause a "change", indicating that all these services are started
in the correct order and none of them is unintentionally started as a
dependency for another.
2024-01-17 11:52:46 +02:00
Slavi Pantaleev 17859eccca Put matrix-static-files in matrix_playbook_reverse_proxy_container_network unless matrix_playbook_reverse_proxy_type is "none"
We likely weren't handling the `matrix_playbook_reverse_proxy_type: other-traefik-container`
case well before. Now, we should be.
2024-01-17 08:46:48 +02:00
Slavi Pantaleev da1f570db6 Make sure matrix-static-files is connected to the (other Traefik) reverse-proxy network 2024-01-17 07:23:42 +02:00
Slavi Pantaleev 0315d03cdb Make sure prometheus-postgres-exporter is connected to the Postgres network (if necessary)
2024-01-17 07:17:39 +02:00
Charles Wright db70230ae1 Add room-workers as a new preset, with new room workers, sync workers, client readers, and federation readers. Based on 2024-01-16 09:17:24 -06:00
Slavi Pantaleev b1e08db01d Fix incorrect assumption for matrix_playbook_reverse_proxy_type == "other-traefik-container" setups
Related to
2024-01-15 22:29:23 +02:00
Slavi Pantaleev 0b7657396b Fix reference to unknown variable (matrix_well_known_ident)
This also supposedly improves the default container network for
`matrix-static-files` for the `other-traefik-container` reverse-proxy
2024-01-15 22:04:22 +02:00
Slavi Pantaleev b91ad453be Adjust TLS variables for homeservers to follow devture_traefik_config_entrypoint_web_secure_enabled (via matrix_federation_traefik_entrypoint_tls) 2024-01-15 09:39:36 +02:00
Slavi Pantaleev 3fa21d19be Wire matrix_bot_maubot_hostname via group vars 2024-01-14 21:33:09 +02:00
Slavi Pantaleev 25697861d7 Fix some variable typos in matrix-prometheus-nginxlog-exporter 2024-01-14 21:32:02 +02:00
Slavi Pantaleev 4f9b7ba656 Add missing container label wiring for mautrix-googlechat and mautrix-hangouts 2024-01-14 21:22:08 +02:00
Slavi Pantaleev f4f3d57520 Remove all traces of matrix-nginx-proxy, add validation & uninstallation tasks 2024-01-14 18:42:14 +02:00
Slavi Pantaleev bdc573d1b1 Wire some matrix-synapse-reverse-proxy-companion label variables based on matrix-synapse variables 2024-01-14 12:31:05 +02:00
Slavi Pantaleev 038c63888a Remove definition of old variable (matrix_synapse_admin_nginx_proxy_integration_enabled) 2024-01-14 12:12:15 +02:00
Slavi Pantaleev 69ca30d1b1 Add support for the internal Traefik entrypoint to matrix-media-repo 2024-01-14 11:57:51 +02:00
Slavi Pantaleev 6b5f42fa81 Indirectly make use of matrix_homeserver_federation_enabled in matrix-media-repo and add some comments around Traefik labels 2024-01-14 11:54:02 +02:00
Slavi Pantaleev c238978ac8 Add new global variable for controlling federation regardless of homeserver implementation
The old variables still work. The global lets us avoid
auto-detection logic like we're currently doing for

In the future, we'd just be able to reference
`matrix_homeserver_federation_enabled` and know the up-to-date value
regardless of homeserver.
2024-01-14 11:52:40 +02:00
Slavi Pantaleev df5d8bfc04 Remove matrix-homeserver-proxy role in favor of the new internal Traefik entrypoint
This was meant to serve as an intermediary for services needing to reach
the homeserver. It was used like that for a while in this
`bye-bye-nginx-proxy` branch, but was never actually public.

It has recently been superseded by homeserver-like services injecting
themselves into a new internal Traefik entrypoint
(see `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_*`),
so `matrix-homeserver-proxy` is no longer necessary.


This is probably a good moment to share some benchmarks and reasons
for going with the internal Traefik entrypoint as opposed to this nginx

1. (1400 rps) Directly to Synapse (`ab -n 1000 -c 100 http://matrix-synapse:8008/_matrix/client/versions`)
2. (~900 rps) Via `matrix-homeserver-proxy` (nginx) proxying to Synapse (`ab -n 1000 -c 100 http://matrix-homeserver-proxy:8008/_matrix/client/versions`)
3. (~1200 rps) Via the new internal entrypoint of Traefik (`matrix-internal-matrix-client-api`) proxying to Synapse (`ab -n 1000 -c 100 http://matrix-traefik:8008/_matrix/client/versions`)

Besides Traefik being quicker for some reason, there are also other
benefits to not having this `matrix-homeserver-proxy` component:

- we can reuse what we have in terms of labels. Services can register a few extra labels on the new Traefik entrypoint
- we don't need services (like `matrix-media-repo`) to inject custom nginx configs into `matrix-homeserver-proxy`. They just need to register labels, like they do already.
- Traefik seems faster than nginx on this benchmark for some reason, which is a nice bonus
- no need to run one extra container (`matrix-homeserver-proxy`) and execute one extra Ansible role
- no need to maintain a setup where some people run the `matrix-homeserver-proxy` component (because they have route-stealing services like `matrix-media-repo` enabled) and others run an optimized setup without this component and everything needs to be rewired to talk to the homeserver directly. Now, everyone can go through Traefik and we can all run an identical setup

Downsides of the new Traefik entrypoint setup are that:

- all addon services that need to talk to the homeserver now depend on Traefik
- people running their own Traefik setup will be inconvenienced - they
  need to manage one additional entrypoint
2024-01-14 10:53:14 +02:00
Slavi Pantaleev 17c9e3f168 Add support for the internal Traefik entrypoint to synapse-reverse-proxy-companion 2024-01-14 10:48:55 +02:00
Slavi Pantaleev 4d66c14fd5 Add support for the internal Traefik entrypoint to Conduit 2024-01-14 10:48:55 +02:00